Remove RedFox Ransomware - Restore Encrypted Files

Remove RedFox Ransomware – Restore Encrypted Files

This article will help you to remove RedFox ransomware effectively. Follow the ransomware removal instructions given below in the article.

RedFox is a ransomware virus that encrypts your files. The malware is distributed as RaaS (Ransomware as a Service). The RedFox virus displays a ransom note message. Cybercriminals presenting themselves as SigmaTeam are known to be behind the threat. Also, the website which offers it is selling it for 0.1 Bitcoin and contains detailed overview of its features. In case you get your PC infected with this cryptovirus, you should be able to find instructions about paying a ransom in Bitcoin for supposedly recovering your data left by cybercriminals. Continue reading below to see how you could try to potentially restore some of your locked file data.

Threat Summary

TypeRansomware, Cryptovirus, RaaS
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put up a ransom note inside a text file.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by RedFox


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss RedFox.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RedFox Ransomware – Infection Spread

RedFox ransomware might spread its infection with various methods. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer system will become infected.

RedFox ransomware might also distribute its payload file on social media and file-sharing services. Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware found in the forum section.

RedFox Virus – Detailed Analysis

RedFox is a virus that encrypts your files and extorts you to pay a ransom to supposedly recover them. The extortionists want you to pay in Bitcoin for the possible restoration of your files. Malware researchers have discovered that it is a RaaS (Ransomware as a service), thus it can be distributed by a number of cybercriminal groups.

RedFox ransomware might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows Operating System.

The features available to this RedFox RaaS ransomware are the following:

  • Autodetected Bitcoin Payments
  • Auto Spread
  • Change Process Name
  • Change Ransom Amount
  • Command-and-control Center
  • Countdown Timer
  • Delete All Restore Points
  • Detects VM, Sandbox And Debugger Environments
  • Disable Regedit
  • Disable Safe Boot
  • Disable Shutdown
  • Disable Task Manager
  • Edit File Icon
  • Empty Recycle Bin
  • Enable USB Infection
  • Files On External Media Also Encrypted
  • Full Lifetime License
  • Fully Undetectable
  • Generate PDF Reports
  • GEO Map
  • Hide RedFox Files
  • Master Boot Record Exploit
  • Military Grade Encryption
  • Multi Language
  • No Dependency
  • Payment Page Link
  • Quick File Encryption
  • Real Time Ticket Support System For Victims
  • Secure File Erase
  • Statistics
  • Text To Speech
  • UAC Exploit
  • Unlimited Builds
  • Weekly Updates

That ransom note is unknown as it might get written by different cybercriminals who buy this RaaS on the web domain. The contents of the page can be viewed down below, in the following screenshot:

The RedFox RaaS description on the website page reads the following:

RedFox is the most advanced and customisable ransomware you’ve ever seen. It is one of the best money making scheme out here. RedFox uses BlowFish encryption to encrypt all available files on the victim’s hard disk and shared drives except .exe, .dll, .sys, other system files. During encryption RedFox will generate unique BlowFish key for each file and then encrypt the keys further with RSA-2048 encryption and will send victim’s system information back to the command-and-control center. The Command-and-control center allows you to set the ramsomware warning time duration, ransom amount, ransom message, payment mode and also allow decrypting the files on the victim system after payment is received. The victim’s computer is not completely blocked as some other ransomwares, it just opens a popup allowing the victim to access their browser to buy Bitcoins and sent to the address indicated. RedFox is a cheap and easy to manage ransomware developed by SigmaTeam. It’s meant to be really easy to use. You can also use binders, packers and crypters. RedFox can communicate with command-and-control center over Tor. RedFox is editable and you can change your own amount and bitcoin address. You can manage your victims through the command-and-control center window using filters, creating groups and also generate PDF reports with relevant statistics, charts and maps.

RedFox will also add a startup key on the Windows registry and then show a GUI telling the user that the files were encrypted and giving your email address so the user can get in touch. Every 2 hours, a random file is permanently deleted, to hurry up the victim. A countdown to the next delete, as well as the last file deleted and a count of how many files were deleted so far will be shown to the victim. Time limit will ends in 96 hours and the user will not be able to get the files back anymore. You can also enable or disable the countdown timer and set how much time you want to delete random files as well as how many files are deleted on every interval, to hasten the victim to pay the ransom faster.

The coolest RedFox feature is that, instead of paying huge servers costs monthly, we present you the “Bridges”. Bridges are the way victims and attacker enters in touch in a distributed network. Bridges store the clients keys, verify payments and provide the victims informations to the command-and-control center safely. And they can be hosted on nearly any server, even hacked servers, shared hosting, dedicated or VPS. As the bitcoin payment verification is done on the server side, by the bridge, there is no way to spoof it on the victim machine. Also, the randomly-generated decryption keys for each victim are also kept on the bridges and there is no way of recovering it without paying. The distributed Bridges network will grant you a better anonymity.

You can spread RedFox through popup offers like free music, movies, plugins, lotteries, fake anti-virus software and email spamming. With RedFox you will also have the option to have it USB auto installable with time frame. Meaning, you can install it on a portable USB and it will automatically boot and start encrypting files after a give time frame.

RedFox is fully autonomous with autodetected Bitcoin payments. Just spread and wait for the money to come. By buying RedFox, you’ll receive an all-in-one kit that will allow you to make unlimited builds. You will get the full source code of the RedFox and PDF guides on how to use it. Your only concern will be where to go next holiday.

If you have any questions you may ask us on

We hope you consider buying RedFox at its impressive price point for its functionality.


The note of the RedFox ransomware would state that your files are encrypted. You will most likely be demanded to pay a ransom in the Bitcoin cryptocurrency. However, you should NOT under any circumstances pay any ransom sum. Your files may not get restored, and nobody could guarantee that. Moreover, giving money to cybercriminals will probably motivate them to create more ransomware viruses or do other criminal activities.

In case you click on the blue “Buy Now” button, you will be redirected to the following page:

As you can see from the above screenshot, the page offers the ransomware files in exchange for paying a sum in a cryptocurrency – most notably for 0.1 Bitcoins. It is also noteworthy that there is a reference to Satan ransomware in that window.

RedFox Virus – Encryption Process

The encryption process of the RedFox ransomware is utilized with the help of the RSA encryption algorithm or at least that is stated inside the ransom note. It will encrypt your files while it may place an extension to all of the locked files.

The targeted extensions of files which are sought to get encrypted are currently unknown and if a list is discovered, it will be posted here as the article gets updated. The files used most by users and which are probably encrypted are from the following categories:

  • Document files
  • Audio files
  • Video files
  • Image files
  • Backup files
  • Banking credentials and data

The RedFox cryptovirus might be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

If the above-stated command is executed that will make the encryption process more efficient. That is due to the fact that the command eliminates one of the prominent ways to restore your data. If your computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially recover your files.

Remove RedFox Virus and Restore Encrypted Files

If your computer got infected with the RedFox ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share